On May 12, 2026, Colorado lawmakers passed SB 26‑189 (the “2026 Law”), a sweeping rewrite of the state’s landmark artificial intelligence law. The bill repeals and replaces much of the framework enacted as SB 24‑205 in 2024 (the “2024 Law”), narrowing some of the more burdensome requirements and shifting the focus to transparency, consumer notice, and consumer rights when automated decision-making tools are used in high-impact contexts.
In May 2024, Colorado became the first U.S. state to enact a comprehensive, cross‑sector artificial intelligence law with the passage of the 2024 Law. That measure regulated “high‑risk artificial intelligence systems” involved in “consequential decisions” in areas including employment, housing, credit, insurance, healthcare, education, and essential government services. The 2024 Law imposed mandatory impact assessments, risk-management programs, bias mitigation measures, and incident reporting obligations enforced by the Colorado Attorney General. With the law slated to take effect in February 2026, lawmakers postponed its effective date to June 30, 2026, to consider amendments, and a federal district court later approved a joint request to stay enforcement while legislative and regulatory developments continued.
The 2026 Law shifts the focus away from “high‑risk AI systems” to “automated decision‑making technology” that uses personal data to make or assist consequential decisions concerning individuals. It applies across sectors including employment, education, housing, financial and lending services, insurance, healthcare, and public benefits, while continuing to distinguish between developers and deployers. If signed, most operational requirements would take effect on January 1, 2027. The 2026 Law also authorizes the Attorney General to engage in rulemaking to clarify or implement the law’s requirements, and directs the Attorney General to adopt most such rules by January 1, 2027.
A central change is the removal of several core compliance obligations from the 2024 regime. The 2026 Law eliminates mandatory impact assessments, ongoing bias audits, developer and deployer risk-management programs, and affirmative defenses tied to formal risk-management frameworks. In their place, the measure creates disclosure- and rights-based obligations. Developers must provide deployers with documentation on intended uses, limitations, and material updates. Deployers must give clear notice when automated decision-making technology is used to materially influence a consequential decision and must provide post-decision disclosures after adverse outcomes, including an explanation of the system’s role.
The new framework also gives affected individuals rights tied to adverse automated decisions. Consumers may request information to access or correct personal data used by the system in line with rights under the Colorado Privacy Act, and may request meaningful human review and reconsideration of the consequential decision if it is commercially reasonable. On discrimination, the law removes the 2024 Law’s new affirmative duty to avoid algorithmic discrimination, but confirms that developers and deployers may still face liability under existing anti-discrimination laws, with fault allocated based on relative responsibility.
Enforcement remains exclusively with the Colorado Attorney General. Unlike the 2024 Law, the 2026 Law expressly states that there is no private right of action for violations. The bill also introduces a 60-day cure period for violations and requires annual reporting on enforcement activity. SB 26‑189 now goes to Governor Polis, who is expected to sign it, while further attention shifts to rulemaking and the pending litigation that could affect enforcement timing beyond January 1, 2027.
